I'm setting up a small app using AWS-amplify.

Due to the queries I needed to perform I needed to use a SQL database. I've therefore made an Aurora database and connected it to my amplify graphql API via the "amplify api add-graphql-datasource" command.

This generates the cloudformation templates for the resolvers to perform basic CRUD operations on the Aurora DB.

I wanted to perform some dynamic queries like:

"SELECT * FROM Question Where type = {ctx.input.type}"

How do I protect the gql input from sql-injection attacks?

Does VTL have a custom function which will escape these inputs? - or alternatively throw an error if a special character exists?

I know I could either write all of this logic in the VTL resolver or create a pipeline resolver that does all of this in a node lambda, but I'm just wondering if there is a simpler solution.
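One way to do this in the Node Lambda step of a pipeline resolver, as an added example that is not from the question or from the Amplify/AppSync project: keep the GraphQL input out of the SQL string entirely by passing it through the RDS Data API's `parameters`, and allow-list it first. `ALLOWED_TYPES`, `buildQuestionQuery` and `handler` are hypothetical names, the ARNs and database name are placeholders, the request mapping template is assumed to forward `$ctx.args` as `event.arguments`, and the `ExecuteStatementCommand` call from `@aws-sdk/client-rds-data` is referenced in a comment but not executed here.

```javascript
// Added example, not code from the question or from AppSync/Amplify.
// Hypothetical Lambda step for an AppSync pipeline resolver that queries
// Aurora through the RDS Data API.

// Assumed allow-list of legal Question.type values for this schema.
const ALLOWED_TYPES = new Set(["multiple-choice", "free-text", "true-false"]);

// Build a parameterized statement. The user-supplied value never becomes part
// of the SQL text: it travels in `parameters`, which the Data API binds to the
// `:type` placeholder server-side, so quotes or comment markers stay data.
function buildQuestionQuery(args) {
  const type = args && args.type;
  if (typeof type !== "string" || !ALLOWED_TYPES.has(type)) {
    // Same effect as the "throw an error on a bad input" option in the question.
    throw new Error("Unsupported question type");
  }
  return {
    sql: "SELECT * FROM Question WHERE type = :type",
    parameters: [{ name: "type", value: { stringValue: type } }],
  };
}

// Lambda handler. `sendCommand` is injected so the function can be exercised
// without AWS; in a real deployment it would be
//   (input) => client.send(new ExecuteStatementCommand(input))
// with `client` an RDSDataClient from @aws-sdk/client-rds-data.
async function handler(event, sendCommand) {
  const { sql, parameters } = buildQuestionQuery(event.arguments);
  return sendCommand({
    resourceArn: process.env.CLUSTER_ARN || "arn:PLACEHOLDER:cluster", // placeholder
    secretArn: process.env.SECRET_ARN || "arn:PLACEHOLDER:secret",     // placeholder
    database: process.env.DB_NAME || "placeholder_db",                 // placeholder
    sql,
    parameters,
  });
}
```

If you would rather stay in VTL, the same allow-list check can be expressed with `$util.matches` and `$util.validate` in the request mapping template before the statement is built; the part that actually removes the injection risk, though, is binding the value as a parameter rather than interpolating it into the query string.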

